Pathtrust

QNX SDP8.0QNX OS System Security GuideAPIConfiguration

The pathtrust feature prevents processes from executing untrusted code. If a process is compromised, pathtrust mitigates the threat of the system being further compromised by an attacker using chained-together exploits.

For example, pathtrust can mitigate a Return-Oriented Programming (ROP) attack that chains existing instructions to initiate a system call that points to an attacker's binary executable that is persisted somewhere on a non-trusted filesystem. (This filesystem is usually a read/write partition where data is stored.)

Actions managed by pathtrust

  • Binary execution — The process loader loads and executes a native binary.
  • Library loading — The process loader loads libraries when a native binary is executed or as a result of a dlopen() call.

How pathtrust works

The following diagram illustrates how pathtrust reacts when a process attempts one of the actions that pathtrust manages.

Pathtrust and setuid and setgid bits on the filesystem

When pathtrust is enabled, the setuid or setgid bits on untrusted files or files from untrusted filesystem resource managers are ignored. All untrusted filesystems are implicitly mounted with -o nosuid and a resource manager cannot provide a setuid binary unless it is authorized. (See mount in the Utilities Reference).

Using pathtrust on a system

The pathtrust feature requires the following configuration and settings:
  • Start procnto with -qt (see procnto* in the Utilities Reference).
  • The devb-* process that mounts a filesystem as trusted has the PROCMGR_AID_PATH_TRUST ability. If the system is not using security policies, you have to allow and lock this ability for devb-*.

  • The filesystem is mounted on an integrity protected partition such as QNX Trusted Disk (QTD).

    Note: The primary IFS is implicitly trusted at all times. Its integrity protection can be provided by secure boot (see Secure boot).

    Make sure that only filesystems that fully qualify as trusted are mounted as trusted, not simply ones that have integrity protection.

    For example, your system has a third-party app store that places the apps in a filesystem protected by QTD to ensure their integrity. Although the partition is integrity protected, because the apps themselves are not trusted, you should not mount the filesystem as trusted.

  • The process that executes mount with the 'trusted' mount flag (specified with the -o trusted option) has the PROCMGR_AID_PATH_TRUST ability.
Note: mkqnximage supports the --pathtrust option, which demonstrates how to enable this feature.

Selecting resources to trust

Use the following best practices for trusted processes and filesystems:
  • Put programs that you build yourself or come from a trusted supplier (e.g., QNX) in a filesystem that is mounted as trusted.
  • Programs that come from third parties that have no reason to be trusted should be put in filesystems that are not mounted as trusted.
  • In most cases, trusted programs should be run from filesystems mounted as trusted and not given the PROCMGR_AID_UNTRUSTED_EXEC ability. Untrusted programs, such as third-party applications, should be run from filesystems that are not mounted as trusted and given the PROCMGR_AID_UNTRUSTED_EXEC ability.
  • QNX recommends that interpreters for languages such as Python not be put in trusted filesystems because although pathtrust protects against the Python binary being loaded, it does not prevent the execution of untrusted Python scripts.

Example

# Mount the integrity protected partition that uses QNX Trusted Disk
mount -t qtd -o trusted,key=/path/to/public.pem /partition /qtd

# Mount the QNX6 filesystem protected by QTD
mount -t qnx6 -o ro,trusted /qtd /fs

Use the mount -f and df -g commands to display the 'trusted' mount option on mountpoints where it is enabled.

Page updated: